
check_user_privileges.lib.php

00001 <?php
00002 /* $Id: check_user_privileges.lib.php,v 1.2 2005/07/24 12:00:48 nijel Exp $ */
00003 // vim: expandtab sw=4 ts=4 sts=4:
00004 
// Capability flags for the logged-in MySQL user; they are filled in by the
// detection code further down. $dbh and $userlink are the MySQL links defined
// in the "common.lib.php" library.
// Note: if no controluser is defined, $dbh contains $userlink.
$db_to_create    = '';
$is_reload_priv  = false;
$is_create_priv  = false;
// NOTE(review): PROCESS is assumed to be granted; nothing in this listing
// probes for it or ever resets this flag.
$is_process_priv = true;

// Superuser probe: the account counts as superuser when it can read
// mysql.user. A plain 'USE mysql' was tried before, but users holding only
// the global CREATE TEMPORARY TABLES or LOCK TABLES privilege can also run
// 'USE mysql' (even if they cannot see the tables).
// The value kept here is whatever PMA_DBI_try_query() returns rather than a
// strict boolean, so it should only be tested for truthiness.
$is_superuser = PMA_DBI_try_query(
    'SELECT COUNT(*) FROM mysql.user',
    $userlink,
    PMA_DBI_QUERY_STORE
);
00018 
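/**
 * Scans the rows of a SHOW GRANTS result for a CREATE privilege and reports
 * what was found through the by-reference arguments.
 *
 * Each row is expected to look like "GRANT <privileges> ON <db>.<table> ...".
 * Rows without " ON " or without a "." after it are skipped.
 *
 * The flags only mirror what the grant text says; they are hints for the
 * user interface, so callers should not treat them as an access check.
 *
 * NOTE(review): ereg() and ereg_replace() are POSIX-regex functions that were
 * removed in PHP 7. The patterns below rely on POSIX bracket semantics
 * ("[^\]" means "any character but a backslash"), so a port to preg_* has to
 * rewrite them, not merely add delimiters.
 *
 * @param   mixed    $rs_usr          result of a SHOW GRANTS query
 * @param   boolean  $is_create_priv  set to TRUE when a usable CREATE grant
 *                                    is found, otherwise left untouched
 * @param   string   $db_to_create    set to '' for a global grant, or to a
 *                                    name suggestion derived from the grant
 *                                    ("%" shown as "...", "_" shown as "?")
 * @param   boolean  $is_reload_priv  set to TRUE together with a global
 *                                    CREATE grant, otherwise left untouched
 *
 * @return  void
 */
function PMA_analyseShowGrant($rs_usr, &$is_create_priv, &$db_to_create, &$is_reload_priv) {

    $re0 = '(^|(\\\\\\\\)+|[^\])'; // non-escaped wildcards
    $re1 = '(^|[^\])(\\\)+'; // escaped wildcards
    while ($row = PMA_DBI_fetch_row($rs_usr)) {
        // Locate "<privileges> ON <db>." once; a row that does not have this
        // shape cannot be analysed and is ignored.
        $on_pos  = strpos($row[0], ' ON ');
        $dot_pos = ($on_pos === FALSE) ? FALSE : strpos($row[0], '.', $on_pos);
        if ($dot_pos === FALSE) {
            continue;
        }

        $show_grants_dbname = substr($row[0], $on_pos + 4, $dot_pos - $on_pos - 4);
        $show_grants_dbname = ereg_replace('^`(.*)`','\\1',  $show_grants_dbname);
        // 6 == strlen('GRANT ')
        $show_grants_str    = substr($row[0], 6, $on_pos - 6);

        // CREATE has to appear as a privilege of its own. A substring search
        // misses "CREATE" at position 0 (strpos() returns 0, which is falsy)
        // and also matches other privileges that merely start with the word,
        // such as CREATE TEMPORARY TABLES.
        $has_create = ($show_grants_str == 'ALL') || ($show_grants_str == 'ALL PRIVILEGES');
        if (!$has_create) {
            foreach (explode(',', $show_grants_str) as $one_priv) {
                if (trim($one_priv) == 'CREATE') {
                    $has_create = TRUE;
                    break;
                }
            }
        }
        if (!$has_create) {
            continue;
        }

        if ($show_grants_dbname == '*') {
            // Global grant: any database name may be created.
            // NOTE(review): RELOAD is assumed here; the grant text itself is
            // not checked for a RELOAD privilege.
            $is_create_priv = TRUE;
            $is_reload_priv = TRUE;
            $db_to_create   = '';
            break;
        } // end if

        // A pattern with unescaped wildcards (and no escaped ones) always
        // leaves room for a new database name.
        $db_is_creatable = ereg($re0 . '%|_', $show_grants_dbname)
                        && !ereg('\\\\%|\\\\_', $show_grants_dbname);
        if (!$db_is_creatable) {
            // Otherwise probe the literal name: a USE that fails for a reason
            // other than error 1044 is read as "database does not exist yet".
            // The identifier is backquoted so that a name which is not a
            // plain word cannot fail with a syntax error and be mistaken for
            // a missing database. Backquotes are first un-doubled, assuming
            // SHOW GRANTS returns them doubled inside a quoted name - TODO
            // confirm against the server versions in use.
            // NOTE(review): no link is passed, and a successful USE changes
            // the selected database on whichever link the call uses.
            $probe_name      = ereg_replace($re1 .'(%|_)', '\\1\\3', $show_grants_dbname);
            $probe_name      = str_replace('`', '``', str_replace('``', '`', $probe_name));
            $db_is_creatable = (!PMA_DBI_try_query('USE `' . $probe_name . '`')
                             && substr(PMA_DBI_getError(), 1, 4) != 1044);
        }

        if ($db_is_creatable) {
            // Turn the pattern into a readable suggestion, then drop the
            // backslashes in front of escaped wildcards.
            $db_to_create   = ereg_replace($re0 . '%', '\\1...', ereg_replace($re0 . '_', '\\1?', $show_grants_dbname));
            $db_to_create   = ereg_replace($re1 . '(%|_)', '\\1\\3', $db_to_create);
            $is_create_priv = TRUE;
            break;
        } // end if
    } // end while
} // end function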
00046 
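// Detection for some CREATE privilege.
//
// The flags computed here are hints for the user interface only; they are
// derived from grant tables and probe queries and may over-report.

if (PMA_MYSQL_INT_VERSION >= 40102) {
    // Since MySQL 4.1.2, we can easily detect current user's grants
    // using $userlink (no control user needed)
    // and we don't have to try any other method for detection
    $rs_usr = PMA_DBI_try_query('SHOW GRANTS', $userlink, PMA_DBI_QUERY_STORE);
    if ($rs_usr) {
        PMA_analyseShowGrant($rs_usr, $is_create_priv, $db_to_create, $is_reload_priv);
        PMA_DBI_free_result($rs_usr);
        unset($rs_usr);
    }
} else {

    // Before MySQL 4.1.2, we first try to find a priv in mysql.user. Hopefully
    // the controluser is correctly defined; but here, $dbh could contain
    // $userlink so maybe the SELECT will fail

    if (!$is_create_priv) {
        $res                           = PMA_DBI_query('SELECT USER();');
        list($mysql_cur_user_and_host) = PMA_DBI_fetch_row($res);
        // The result was never released before; only the first row is needed.
        PMA_DBI_free_result($res);
        $mysql_cur_user                = substr($mysql_cur_user_and_host, 0, strrpos($mysql_cur_user_and_host, '@'));

        // NOTE(review): the WHERE clause filters on the user name only (plus
        // anonymous-user rows), not on the host, so a flag can become TRUE
        // from a row that does not apply to the current connection.
        $local_query = 'SELECT Create_priv, Reload_priv FROM mysql.user WHERE '
                     . PMA_convert_using('User') . ' = ' . PMA_convert_using(PMA_sqlAddslashes($mysql_cur_user), 'quoted')
                     . ' OR ' . PMA_convert_using('User') . ' = ' . PMA_convert_using('', 'quoted') . ';';
        $rs_usr      = PMA_DBI_try_query($local_query, $dbh); // Debug: or PMA_mysqlDie('', $local_query, FALSE);
        if ($rs_usr) {
            while ($result_usr = PMA_DBI_fetch_assoc($rs_usr)) {
                if (!$is_create_priv) {
                    $is_create_priv  = ($result_usr['Create_priv'] == 'Y');
                }
                if (!$is_reload_priv) {
                    $is_reload_priv  = ($result_usr['Reload_priv'] == 'Y');
                }
            } // end while
            PMA_DBI_free_result($rs_usr);
            unset($rs_usr, $result_usr);
        } // end if
    } // end if

    // If the user has Create priv on a nonexistent db, show him in the dialog
    // the first nonexistent db name that we find, in most cases it's probably
    // the one he just dropped :)
    if (!$is_create_priv) {
        $local_query = 'SELECT DISTINCT Db FROM mysql.db WHERE '
                     . PMA_convert_using('Create_priv') . ' = ' . PMA_convert_using('Y', 'quoted')
                     . ' AND (' . PMA_convert_using('User') . ' = ' . PMA_convert_using(PMA_sqlAddslashes($mysql_cur_user), 'quoted')
                     . ' OR ' . PMA_convert_using('User') . ' = ' . PMA_convert_using('', 'quoted') . ');';
        $rs_usr      = PMA_DBI_try_query($local_query, $dbh, PMA_DBI_QUERY_STORE);
        if ($rs_usr) {
            $re0     = '(^|(\\\\\\\\)+|[^\])'; // non-escaped wildcards
            $re1     = '(^|[^\])(\\\)+';       // escaped wildcards
            while ($row = PMA_DBI_fetch_assoc($rs_usr)) {
                // A pattern with an unescaped wildcard always leaves room for
                // a new database name.
                $db_is_creatable = ereg($re0 . '(%|_)', $row['Db']);
                if (!$db_is_creatable) {
                    // Otherwise probe the literal name: a USE that fails for a
                    // reason other than error 1044 is read as "database does
                    // not exist yet". The name is backquoted so that a name
                    // which is not a plain word cannot fail with a syntax
                    // error and be mistaken for a missing database.
                    // NOTE(review): no link is passed, and a successful USE
                    // changes the selected database on whichever link the
                    // call uses.
                    $probe_name      = ereg_replace($re1 . '(%|_)', '\\1\\3', $row['Db']);
                    $db_is_creatable = (!PMA_DBI_try_query('USE `' . str_replace('`', '``', $probe_name) . '`')
                                     && substr(PMA_DBI_getError(), 1, 4) != 1044);
                }
                if ($db_is_creatable) {
                    $db_to_create   = ereg_replace($re0 . '%', '\\1...', ereg_replace($re0 . '_', '\\1?', $row['Db']));
                    $db_to_create   = ereg_replace($re1 . '(%|_)', '\\1\\3', $db_to_create);
                    $is_create_priv = TRUE;
                    break;
                } // end if
            } // end while
            PMA_DBI_free_result($rs_usr);
            unset($rs_usr, $row, $re0, $re1, $db_is_creatable, $probe_name);
        } // end if
        else {
            // Finally, let's try to get the user's privileges by using SHOW
            // GRANTS...
            // Maybe we'll find a little CREATE priv there :)
            //
            // The account is written as 'user'@'host' with both parts escaped
            // and quoted; the value returned by USER() was previously pasted
            // into the statement as-is.
            $at_pos      = strrpos($mysql_cur_user_and_host, '@');
            $quoted_user = '\'' . PMA_sqlAddslashes($mysql_cur_user) . '\'';
            $rs_usr      = FALSE;
            if ($at_pos !== FALSE) {
                $quoted_host = '\'' . PMA_sqlAddslashes(substr($mysql_cur_user_and_host, $at_pos + 1)) . '\'';
                $rs_usr      = PMA_DBI_try_query('SHOW GRANTS FOR ' . $quoted_user . '@' . $quoted_host . ';', $dbh, PMA_DBI_QUERY_STORE);
            }
            if (!$rs_usr) {
                // OK, now we'd have to guess the user's hostname, but we
                // only try out the 'username'@'%' case.
                $rs_usr      = PMA_DBI_try_query('SHOW GRANTS FOR ' . $quoted_user . ';', $dbh, PMA_DBI_QUERY_STORE);
            }
            unset($local_query, $at_pos, $quoted_user, $quoted_host);
            if ($rs_usr) {
                PMA_analyseShowGrant($rs_usr, $is_create_priv, $db_to_create, $is_reload_priv);
                PMA_DBI_free_result($rs_usr);
                unset($rs_usr);
            } // end if
        } // end else
    } // end if
} // end else (MySQL < 4.1.2)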
00127 
// The database-name suggestion is optional: when $cfg['SuggestDBName'] is
// switched off, blank whatever name the detection above came up with.
if (! $cfg['SuggestDBName'])
{
    $db_to_create = '';
}
00132 
00133 ?>
00134 

